Products Affected

Description

Multiple SONY Videoconference Systems have a default user account that does not require authentication to log in to a device (CWE-306).
This user account has the privilege to view some of the system configuration files. As a result, an attacker may be able to manipulate the device with administrative privileges.

The telnet/ssl functionality is implemented in the device based on its specifications and is disabled by default. When this functionality is enabled, a user on the same subnetwork can log in to the device.

Impact

Another user on the same subnetwork may log in to the device. As a result, that user may manipulate the device with administrative privileges.

Credit

Sony Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Sony Corporation coordinated under the Information Security Early Warning Partnership.